TY - GEN
T1 - Detecting malicious exploit kits using tree-based similarity searches
AU - Taylor, Teryl
AU - Hu, Xin
AU - Wang, Ting
AU - Jang, Jiyong
AU - Stoecklin, Marc Ph.
AU - Monrose, Fabian
AU - Sailer, Reiner
N1 - Funding Information:
We express our gratitude to the Computer Science networking staff (especially, Murray Anderegg and Bil Hayes) for their efforts in deploying some of the infrastructure used in this study. We also thank Douglas L. Schales for help with data procurement as well as Jan Werner, Kevin Snow, Andrew White, and the anonymous reviewers for their insightful comments. This work is supported in part by the National Science Foundation (with a supplement from the Department of Homeland Security) under award numbers 1127361 and 1421703. Any opinions, findings, and conclusions or recommendations expressed in this paper are those of the authors and do not necessarily reflect the views of the National Science Foundation or the Department of Homeland Security.
Publisher Copyright:
© 2016 ACM.
PY - 2016/3/9
Y1 - 2016/3/9
N2 - Unfortunately, the computers we use for everyday activities can be infiltrated while simply browsing innocuous sites that, unbeknownst to the website owner, may be laden with malicious advertisements. So-called malvertising redirects browsers to web-based exploit kits that are designed to find vulnerabilities in the browser and subsequently download malicious payloads. We propose a new approach for detecting such malfeasance by leveraging the inherent structural patterns in HTTP traffic to classify exploit kit instances. Our key insight is that an exploit kit leads the browser to download payloads using multiple requests from malicious servers. We capture these interactions in a "tree-like" form, and using a scalable index of malware samples, model the detection process as a subtree similarity search problem. The approach is evaluated on 3800 hours of real-world traffic including over 4 billion flows and reduces false positive rates by four orders of magnitude over current state-of-the-art techniques with comparable true positive rates. We show that our approach can operate in near real-time, and is able to handle peak traffic levels on a large enterprise network, identifying 28 new exploit kit instances during our analysis period.
AB - Unfortunately, the computers we use for everyday activities can be infiltrated while simply browsing innocuous sites that, unbeknownst to the website owner, may be laden with malicious advertisements. So-called malvertising redirects browsers to web-based exploit kits that are designed to find vulnerabilities in the browser and subsequently download malicious payloads. We propose a new approach for detecting such malfeasance by leveraging the inherent structural patterns in HTTP traffic to classify exploit kit instances. Our key insight is that an exploit kit leads the browser to download payloads using multiple requests from malicious servers. We capture these interactions in a "tree-like" form, and using a scalable index of malware samples, model the detection process as a subtree similarity search problem. The approach is evaluated on 3800 hours of real-world traffic including over 4 billion flows and reduces false positive rates by four orders of magnitude over current state-of-the-art techniques with comparable true positive rates. We show that our approach can operate in near real-time, and is able to handle peak traffic levels on a large enterprise network, identifying 28 new exploit kit instances during our analysis period.
UR - http://www.scopus.com/inward/record.url?scp=84964857978&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84964857978&partnerID=8YFLogxK
U2 - 10.1145/2857705.2857718
DO - 10.1145/2857705.2857718
M3 - Conference contribution
AN - SCOPUS:84964857978
T3 - CODASPY 2016 - Proceedings of the 6th ACM Conference on Data and Application Security and Privacy
SP - 255
EP - 266
BT - CODASPY 2016 - Proceedings of the 6th ACM Conference on Data and Application Security and Privacy
PB - Association for Computing Machinery, Inc
T2 - 6th ACM Conference on Data and Application Security and Privacy, CODASPY 2016
Y2 - 9 March 2016 through 11 March 2016
ER -